DocsLibrary
AI DEFENSE LIBRARY

📐 NIST AI RMF: AI Risk Management in Practice

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for managing AI risk, released by the U.S. National Institute of Standards and Technology (document AI 100-1, January 2023). It helps organizations build trustworthiness considerations — safety, reliability, privacy, explainability — into the design, development, deployment, and evaluation of AI systems. This guide walks through the four AI RMF functions (GOVERN / MAP / MEASURE / MANAGE), the seven characteristics of "trustworthy AI," the profile for generative AI (NIST AI 600-1), and shows honestly where the boundary runs: SYNTREX — the defense layer of the Spectorn platform — supplies the technical part (detection, policy, an immutable audit), but on its own does not make an organization "compliant."

Spectorn is a security and compliance-perimeter platform; SYNTREX is its AI-defense layer, deployed both inside Spectorn and standalone on customers' internal perimeters. The AI RMF is a management framework; SYNTREX closes concrete technical sub-tasks within the MEASURE and MANAGE functions.


What NIST AI RMF Is and Why It Exists

The AI RMF was developed under the mandate of the National AI Initiative Act of 2020 as a voluntary, sector- and use-case-agnostic, rights-preserving framework. Its purpose is to give organizations of any size a common language and an operating model for working with AI-specific risks: data drift over time, the sociotechnical nature of the systems, model opacity, emergent behavior.

The AI RMF has two parts. The first describes how to reason about AI risk and what "trustworthy AI" is. The second is the Core: four functions broken into categories and subcategories with concrete actions and outcomes. The framework is accompanied by the AI RMF Playbook (recommended actions for each subcategory), a Roadmap (a development plan), and profiles for specific classes of systems — first and foremost the Generative AI Profile (AI 600-1).

A key feature: the AI RMF is not certified and has no force of law. It is an operating model. Its certifiable analogue is the international standard ISO/IEC 42001 (an AI management system); binding force lies with the EU AI Act. These instruments complement one another, and controls mapped to one usually support the others.


The Four AI RMF Core Functions

The AI RMF Core is organized around four functions. GOVERN is cross-cutting: it permeates and feeds the other three across all lifecycle stages. MAP, MEASURE, and MANAGE are applied in the context of a specific system.

GOVERN — a culture of risk management

Shapes and instills a culture of AI risk management across the organization: policies and procedures across the entire lifecycle, accountability structures (roles and decision-making), a risk-aware culture, stakeholder engagement, and — as a separate category — managing the risks of third-party components, data, and the supply chain. GOVERN answers the question "who is accountable and under what rules."

MAP — context and risk identification

Establishes context and identifies risks across the whole system lifecycle: understanding the context of use, categorizing the AI system, its capabilities and goals, mapping risks and benefits across all components, assessing impact on individuals, groups, and society. By the end of MAP an organization should have enough contextual knowledge to make an initial go/no-go decision.

MEASURE — analysis, evaluation, monitoring

Applies quantitative, qualitative, and mixed methods to analyze, benchmark, and monitor AI risk: selecting appropriate metrics, evaluating the system against trustworthiness characteristics, mechanisms for tracking risk over time, gathering feedback on the effectiveness of the measurements. This is where concrete vulnerabilities are assessed — for example, against the OWASP Top 10 for LLMs — and red-teaming is conducted against MITRE ATLAS.

MANAGE — prioritization and response

Allocates resources to the identified and measured risks: prioritizing and treating risks, strategies to maximize benefits and minimize harm, managing third-party risks, documenting and monitoring risk treatment. This includes incident response — a plan for response, recovery, and communication.


The Seven Characteristics of Trustworthy AI

The AI RMF defines seven characteristics that together make AI "trustworthy." They must be balanced according to context — there are unavoidable trade-offs among them. NIST's exact formulations:

  1. Valid and Reliable — the foundation for all the others: confirmed by objective evidence as meeting the requirements of the use case, and able to operate without failure under the specified conditions.
  2. Safe — under defined conditions the system should not lead to a state that endangers human life, health, property, or the environment.
  3. Secure and Resilient — maintaining confidentiality, integrity, and availability through protective mechanisms; able to withstand unexpected adverse events.
  4. Accountable and Transparent — a cross-cutting characteristic: access to information commensurate with the lifecycle stage and the participant's role.
  5. Explainable and Interpretable — the ability to understand the system's functionality and the rationale for its operation.
  6. Privacy-Enhanced — norms and practices that safeguard human autonomy, identity, and dignity.
  7. Fair – with Harmful Bias Managed — attention to equity and the avoidance of discrimination through bias management.

In this scheme Valid and Reliable is the base (a necessary condition for the rest), and Accountable and Transparent is the cross-cutting element that ties all the characteristics together. The Safe and Secure and Resilient characteristics are two distinct characteristics in the AI 100-1 document, not one (a common error in secondary sources).


Generative AI Profile (NIST AI 600-1)

In July 2024 NIST released AI 600-1 — "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile," the AI RMF profile for generative AI, prepared in fulfillment of Executive Order 14110. It extends AI 100-1 with more than 200 recommended actions organized by the same four functions and lists 12 risks unique to or amplified by generative AI:

Risk (AI 600-1)Essence
CBRN Information or CapabilitiesEasier access to information on chemical, biological, radiological, and nuclear weapons
ConfabulationConfidently presented but false content ("hallucinations")
Dangerous, Violent, or Hateful ContentEasier generation of violent, inciting, threatening content
Data PrivacyLeakage and unauthorized use/de-anonymization of personal data
Environmental ImpactsHigh consumption of compute resources during training/operation
Harmful Bias and HomogenizationAmplification of historical and systemic biases, homogenization
Human-AI ConfigurationInappropriate anthropomorphization and human-system interaction problems
Information IntegrityLowering the barrier for content that does not distinguish fact from fiction
Information SecurityLowering the barriers for offensive cyber capabilities (automated vulnerability discovery and exploitation, malware, phishing)
Intellectual PropertyEasier reproduction of copyrighted content
Obscene, Degrading, and/or Abusive ContentEasier generation of obscene content, including synthetic CSAM
Value Chain and Component IntegrationOpaque integration of third-party components and data

Several of these risks map directly onto SYNTREX's capabilities: Information Security (offensive capabilities through AI), Data Privacy (PII leakage), Information Integrity and Confabulation (dangerous output). For each, SYNTREX provides detection and an audit trail — see the map below.


How SYNTREX Helps: The Technical Part of the MEASURE and MANAGE Functions

The AI RMF is a management framework. SYNTREX does not "implement the AI RMF" in full, but it closes concrete technical sub-tasks within the MEASURE (measuring and monitoring risk) and MANAGE (treating and responding) functions, and the Decision Logger provides the immutable audit trail required in GOVERN for accountability.

Function / AI 600-1 riskWhat SYNTREX providesEngines / components
MEASURE — evaluation against input/output threatsDetection of injections, jailbreaks, dangerous outputinjection, jailbreak, output_scanner
MANAGE / Data PrivacyMasking PII and secrets before the response leavespii, secret_scanner, exfiltration
MANAGE / Information SecurityControl of the "lethal trifecta," tool abuselethal_trifecta, tool_abuse, cross_tool_guard
MEASURE — monitoring over timeEvent correlation, surfacing anomalous spikesSOC Correlation Engine
GOVERN — accountability and provabilityAn immutable log of all decisions (SHA-256/HMAC)Decision Logger
MANAGE — integrity of the agent's memory/contextMemory protection and model containmentmemory_integrity, model_containment

syntrex.yaml configuration

A profile oriented toward the technical controls of MEASURE/MANAGE and toward producing the audit trail for GOVERN:

YAML
# syntrex.yaml — profile for AI RMF technical controls (MEASURE/MANAGE) version: "1.0" mode: ai_gateway engines: injection: # MEASURE: injection detection action: block confidence_threshold: 0.7 jailbreak: # MEASURE: policy-bypass detection action: block confidence_threshold: 0.85 output_scanner: # MEASURE: dangerous/leaking output action: sanitize pii: # MANAGE: Data Privacy action: redact mask_character: "*" secret_scanner: always_on # MANAGE: secrets never leave the perimeter exfiltration: # MANAGE: Information Security action: block lethal_trifecta: # MANAGE: data + untrusted + egress action: alert tool_abuse: # MANAGE: tool abuse action: block memory_integrity: # MANAGE: integrity of the agent's context action: alert model_containment: # MANAGE: model containment action: alert audit: decision_logger: true # GOVERN: an immutable trail for accountability retention_policy: regulatory

SOC correlation rule (monitoring over time)

The MEASURE function requires tracking risk over time. An example rule that surfaces an anomalous spike as an attack indicator:

YAML
rules: - id: ALERT_FLOOD name: "Anomalous event spike (MEASURE)" description: "100+ events from one source in 60 seconds — an indicator of an attack or failure" enabled: true conditions: - threshold: count: 100 window: "60s" group_by: "source_id" action: create_incident: true severity: HIGH metadata: nist_rmf: ["MEASURE-2", "MANAGE-1"]

An honest boundary of responsibility. AI RMF compliance is an organizational task: policies, roles, processes, a culture of risk management (the whole GOVERN function, most of MAP). SYNTREX does not make an organization "compliant" on its own. It closes the technical part — detection, the Shield policy, and an immutable audit — within the MEASURE and MANAGE functions, and provides a provable trail of decisions needed for accountability. System categorization, societal impact assessment, risk appetite, and risk treatment remain with the organization.


NIST AI RMF and the Russian Market

There is no direct analogue of the AI RMF in Russia — the approach is spread across several instruments:

  • GOST R 59276-2022 ("Ensuring trust in AI systems") is the closest in spirit to the notion of "trustworthy AI"; PNST 776-2022 covers AI risk management (a preliminary national standard, the closest functional analogue of a risk framework); GOST R 59277-2020 covers AI-system classification. Russia adapts the norms of ISO/IEC JTC 1/SC 42 as national GOST standards. (GOST = the Russian national standardization system; PNST = a preliminary national standard.)
  • The Code of Ethics for AI (adopted in October 2021) is "soft," voluntary self-regulation with ethical principles; it does not contain a risk-management structure at the MAP/MEASURE/MANAGE level.
  • 152-FZ ("On Personal Data") — the Russian federal personal-data law — intersects with the Data Privacy and Privacy-Enhanced characteristics: AI systems processing personal data must meet requirements for localization, consent, and data-subject rights.
  • FSTEC — the Russian Federal Service for Technical and Export Control — sets security requirements for critical information infrastructure (CII), which apply to AI systems deployed within its perimeter.

For a Russian customer, SYNTREX supplies the same technical part (detection, PII masking under 152-FZ, an immutable audit), while the compliance program typically references the combination of GOST R 59276 + PNST 776 + 152-FZ + FSTEC orders. More on the sector specifics is in the Government and CII and Healthcare scenarios.


Frequently Asked Questions (FAQ)

What is NIST AI RMF in plain terms? It is a voluntary framework from the U.S. standards institute (NIST) that helps organizations manage AI risk. It consists of four functions — GOVERN (culture and rules), MAP (context and risk identification), MEASURE (measurement and monitoring), MANAGE (prioritization and response) — and describes seven characteristics of "trustworthy AI."

Is NIST AI RMF mandatory? No, the AI RMF is voluntary and has no force of law. Binding force belongs to the EU AI Act for systems whose output is used in the EU. The certifiable analogue of the AI RMF is ISO/IEC 42001. Many organizations use the AI RMF as a management framework on top of which they prepare for mandatory requirements.

What are the four AI RMF functions? GOVERN (cross-cutting — the culture and policies of risk management), MAP (establishing context and identifying risks), MEASURE (quantitative and qualitative evaluation, monitoring over time), and MANAGE (prioritization, risk treatment, incident response). GOVERN permeates the other three.

What does the Generative AI Profile (AI 600-1) add? It is an AI RMF profile specifically for generative AI (July 2024). It lists 12 risks unique to or amplified by GenAI — CBRN, confabulation (hallucinations), Data Privacy, Information Security, Information Integrity, and others — and provides more than 200 recommended actions tied to the same four functions.

Does SYNTREX make my organization compliant with NIST AI RMF? No, and we note this boundary honestly. AI RMF compliance is an organizational task (policies, roles, processes — the GOVERN and MAP functions). SYNTREX closes the technical part within MEASURE and MANAGE: threat detection, data masking, the Shield policy, and an immutable audit trail (Decision Logger) needed for accountability. The management loop remains with the organization.

How does AI RMF relate to MITRE ATLAS and OWASP? It is a three-layer model: the AI RMF is the strategic management layer, MITRE ATLAS is the tactical threat layer (TTPs for red teams and detection), and the OWASP Top 10 for LLMs is the operational layer of concrete vulnerabilities. ATLAS data and OWASP assessments give substance to the MEASURE and MANAGE functions.

Is there a Russian analogue of NIST AI RMF? There is no direct one. The closest instruments are PNST 776-2022 (AI risk management), GOST R 59276-2022 (trust in AI systems), plus the voluntary Code of Ethics for AI, 152-FZ (personal data), and FSTEC requirements for CII. There is as yet no single integrated framework on the scale of the AI RMF in Russia.


Sources


Related guides: MITRE ATLAS · EU AI Act · OWASP Top 10 for LLMs · Government and CII · Industry Scenarios

NIST AI RMF: AI Risk Management in Practice | Spectorn | Spectorn